Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Design guides for Ironport Web Security

Unanswered Question
Apr 19th, 2012
User Badges:

Hi All,

I am looking for a proxy solution for our enterprise network, and considering Ironport WebSecurity S370 appliance.

I am just curious if there is any good design guides on how to properly implement Ironport on the network.

I need best practices documents, i.e.  can I place two units with one virtual IP address and so on.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Ken Stieers Thu, 04/19/2012 - 09:10
User Badges:
  • Gold, 750 points or more

WSA's don't cluster, with a shared virtual IP, how you handle mulitple WSA boxes is a function of how you're redirecting traffic to them.

     WCCP - you just add them as multiple WCCP destinations

     PAC file - you add seperate entries and the browser/app figures out which one is available.

     Policy Based Routing (eg. no Cisco router) - I'm not sure, as I've never done it.

You might be able to use a load balancer, but my feeling is that gets too complicated.

I used this to set up one box using WCCP


There's a caveat when you use WCCP for 2 boxes, you need to tweak the ACL so that you don't get loops:



This Discussion